Abstract

In 1977, Adleman, Manders and Miller briefly described how to extend their square root extraction method to general rth root extraction over finite fields, but did not give enough details. In fact, there is a dramatic difference between square root extraction and general rth root extraction, because one has to solve discrete logarithms for rth root extraction. In this paper, we clarify their method and analyze its complexity. Our heuristic presentation is helpful for grasping the method entirely and deeply.
1 Introduction

Root extraction is a classical problem in computer algebra. It is essential to cryptosystems based on elliptic curves [2]. There are several efficient probabilistic algorithms for square root extraction in finite fields, such as Cipolla-Lehmer [6][7], Tonelli-Shanks [10][12] and Adleman-Manders-Miller [1]. All of them require a quadratic nonresidue as an additional input. In 2004, Müller investigated this topic in Ref. [8]. In 2011, Sze [11] presented a novel idea to compute square roots over finite fields, without being given any quadratic nonresidue, and without assuming any unproven hypothesis.

The Adleman-Manders-Miller square root extraction method can be extended to solve the general rth root extraction problem. Recently, Nishihara et al. [9] specified the Adleman-Manders-Miller method for cube root extraction. Barreto and Voloch [2] proposed an efficient algorithm to compute rth roots in $F_{p^m}$ for certain choices of m and p. Besides, it requires that $r \,\|\, p - 1$ and $(m, r) = 1$, where the notation $a^b \,\|\, c$ means that $a^b$ is the highest power of a dividing c.

The basic idea of Adleman-Manders-Miller square root extraction in $F_p$ can be described as follows. Write $p - 1$ in the form $2^t \cdot s$, where s is odd. Given a quadratic residue $\delta$ and a quadratic nonresidue $\rho$, we have

$$(\delta^s)^{2^{t-1}} \equiv 1 \pmod p, \qquad (\rho^s)^{2^{t-1}} \equiv -1 \pmod p$$

If $t \ge 2$, then $(\delta^s)^{2^{t-2}} \pmod p \in \{1, -1\}$. Take $k_1 = 0$ or $1$ such that

$$(\delta^s)^{2^{t-2}} (\rho^s)^{2^{t-1} \cdot k_1} \equiv 1 \pmod p$$

Since $(\delta^s)^{2^{t-3}} (\rho^s)^{2^{t-2} \cdot k_1} \pmod p \in \{1, -1\}$, take $k_2 = 0$ or $1$ such that

$$(\delta^s)^{2^{t-3}} (\rho^s)^{2^{t-2} \cdot k_1} (\rho^s)^{2^{t-1} \cdot k_2} \equiv 1 \pmod p$$

Likewise, we can obtain $k_3, \ldots, k_{t-1} \in \{0, 1\}$ such that

Thus, we have

It should be stressed, however, that there is a dramatic difference between the square root extraction and the general rth root extraction. Write $p - 1$ in the form $r^t \cdot s$, where $(r, s) = 1$. Given an rth residue $\delta$ and an rth nonresidue $\rho$, we have

$$(\delta^s)^{r^{t-1}} \equiv 1 \pmod p, \qquad (\rho^s)^{r^{t-1}} \not\equiv 1 \pmod p$$

Since $(\delta^s)^{r^{t-2}} \pmod p$ is a root of the equation $X^r \equiv 1 \pmod p$ and the equation has r different roots (these roots can be represented by $(\rho^s)^{r^{t-1} \cdot k_1}$, $k_1 \in \{0, 1, \ldots, r-1\}$), it becomes difficult to find $k_1$ such that

$$(\delta^s)^{r^{t-2}} (\rho^s)^{r^{t-1} \cdot k_1} \equiv 1 \pmod p$$

In 1977, Adleman, Manders and Miller [1] presented a brief description of how to extend their square root extraction method to general rth root extraction over finite fields, but did not give enough details. By the way, it is the only known method for general rth root extraction over finite fields. In this paper, we clarify their method and analyze its complexity.

2 Preliminary 

Let $Z_n = \{0, 1, \ldots, n-1\}$ be the set of all numbers smaller than n, and $Z_n^* = \{x \mid 1 \le x \le n \text{ and } \gcd(x, n) = 1\}$ be the set of numbers in $Z_n$ that are coprime to n. The following definitions and results can be found in Ref. [4].

Definition 1. A residue $a \in Z_n^*$ is said to be a quadratic residue if there exists some $x \in Z_n^*$ such that $x^2 \equiv a \pmod n$. If a is not a quadratic residue, then it is referred to as a quadratic non-residue.

Theorem 2. (Euler's Criterion) For prime p, an element $a \in Z_p^*$ is a quadratic residue if and only if = 1 (mod p).
Definition 3. (Legendre Symbol) For any prime p and $a \in Z_p^*$, we define the Legendre symbol

1 if a is a quadratic residue (mod p)
−1 if a is a quadratic non-residue (mod p)

For an integer a, we define log(a) to be the number of bits in the binary representation of |a|; more precisely,

$$\log(a) = \begin{cases} \lfloor \log_2 |a| \rfloor + 1 & \text{if } a \neq 0 \\ 1 & \text{if } a = 0 \end{cases}$$



Given $a \in Z_n$ and a non-negative integer e, the repeated-squaring algorithm computes (mod n) using just $O(\log(e))$ multiplications in $Z_n$, thus taking time $O(\log(e) \log^2 n)$. Therefore, we have the following result:

Proposition 4. For an odd prime p, we can test whether an integer a is a quadratic residue modulo p by either performing the exponentiation $a^{(p-1)/2} \pmod p$ or by computing the Legendre symbol $\left(\frac{a}{p}\right)$. Assume that $0 \le a < p$. Using a standard repeated squaring algorithm, the former method takes time $O(\log^3 p)$, while using Euclidean-like algorithm, the latter method takes time $O(\log^2 p)$.

Proof. See [5].

Let R be a ring. Let us define the length of a polynomial $f(X) \in R[X]$, denoted by log(f), to be the length of its coefficient vector; more precisely, we define

$$\log(f) = \begin{cases} \deg(f) + 1 & \text{if } f \neq 0 \\ 1 & \text{if } f = 0 \end{cases}$$

Analogous to algorithms for modular integer arithmetic, we can also do arithmetic in the residue class ring $R[X]/(f)$, where $f \in R[X]$ is a polynomial of $\deg(f) > 0$ whose leading coefficient lc(f) is a unit.

Proposition 5. Let $R[X]/(f)$ be a residue class ring, where $f \in R[X]$ is a polynomial of $\deg(f) > 0$ whose leading coefficient lc(f) is a unit. Given $g \in R[X]/(f)$ and a non-negative exponent e, using repeated-squaring algorithm we can compute $g^e$ taking $O(\log(e) \deg(f)^2)$ operations in R.

Proof. See [3].

Notice that using a standard representation for $F_p$, each operation in $F_p$ takes time $O(\log^2 p)$.

3 Adleman-Manders-Miller square root extraction method 

The Adleman-Manders-Miller square root extraction method requires a quadratic non-residue as an additional input. We classify the method into two kinds because there is a gap between the base field $F_p$ and the extension $F_{p^m}$ in how to test whether an element is a quadratic non-residue.

3.1 Adleman-Manders-Miller square root extraction method in $F_p$

Consider the problem to find a solution to the congruence $X^2 \equiv \delta \pmod p$ over finite field $F_p$, where p is an odd prime.

Adleman, Manders and Miller [1] proposed an algorithm to solve the problem. Their square root extraction method is based on the following facts. Write $p - 1$ in the form $2^t \cdot s$, where s is odd. Given a quadratic residue $\delta$ and a quadratic nonresidue $\rho$, we have

$$(\delta^s)^{2^{t-1}} \equiv 1 \pmod p, \qquad (\rho^s)^{2^{t-1}} \equiv -1 \pmod p$$

$$\left(\delta^{\frac{s+1}{2}}\right)^2 \equiv \delta \pmod p.$$

It means that $\delta^{\frac{s+1}{2}}$ is a square root of $\delta$. In this case, it only takes time $O(\log(s) \log^2 p)$.

If $t \ge 2$, then $(\delta^s)^{2^{t-2}} \pmod p \in \{1, -1\}$. Take $k_1 = 0$ or $1$ such that

$$(\delta^s)^{2^{t-2}} (\rho^s)^{2^{t-1} \cdot k_1} \equiv 1 \pmod p$$

Take $k_2 = 0$ or $1$ such that

$$(\delta^s)^{2^{t-3}} (\rho^s)^{2^{t-2} \cdot k_1} (\rho^s)^{2^{t-1} \cdot k_2} \equiv 1 \pmod p$$

Likewise, we obtain $k_3, \ldots, k_{t-1} \in \{0, 1\}$ such that

Finally, we have

To find a quadratic non-residue $\rho$, one has to check that $\left(\frac{\rho}{p}\right) \neq 1$. The computation takes time $O(\log^2 p)$. If we do this for more than $O(1) \log p$ different randomly chosen $\rho$, then with probability $> 1 - \left(\frac{1}{p}\right)^{O(1)}$ at least one of them will give a quadratic non-residue. Thus, to find a quadratic nonresidue $\rho$, it takes expected time $O(\log^3 p)$. To compute $b^{2^{t-i-1}} \pmod p$, it takes time $O((t - i - 1) \log^2 p)$. Since there are $1 + 2 + \cdots + (t - 1)$ = steps, the loop takes time $O(t^2 \log^2 p)$. Thus, the total estimate is $O(\log^3 p + t^2 \log^2 p)$. At worst (if almost all of $p - 1$ is a power of 2), this is $O(\log^4 p)$.

3.2 Adleman-Manders-Miller square root extraction method in $F_{p^m}$

As we mentioned before, the Adleman-Manders-Miller method in the extension field $F_{p^m}$ differs from the method in the base field $F_p$ because one cannot determine a quadratic non-residue by computing the Legendre Symbol.
Table 1: Adleman-Manders-Miller square root extraction algorithm in $F_p$

Input: Odd prime p and a quadratic residue $\delta$.
Output: A square root of $\delta$.

Step 1: Choose $\rho$ uniformly at random from $F_p^*$.
        Compute $\left(\frac{\rho}{p}\right)$ using Euclidean-like algorithm.
Step 2: if $\left(\frac{\rho}{p}\right) = 1$, go to Step 1.
Step 3: Compute t, s such that $p - 1 = 2^t s$, where s is odd.
        Compute $a \leftarrow \rho^s$, $b \leftarrow \delta^s$, $h \leftarrow 1$.
Step 4: for i = 1 to t − 1
            compute $d = b^{2^{t-1-i}}$
            if d = 1, $k \leftarrow 0$
            else $k \leftarrow 1$
            $b \leftarrow b \cdot (a^2)^k$, $h \leftarrow h \cdot a^k$
            $a \leftarrow a^2$
        end for
Step 5: return $\delta^{\frac{s+1}{2}} \cdot h$



Set $q = p^m$. To find a quadratic non-residue $\rho$, one has to check that $\rho^{\frac{q-1}{2}} \neq 1$. The computation takes time $O(\log^3 q)$. If we do this for more than $O(1) \log q$ different randomly chosen $\rho$, then with probability $> 1 - \left(\frac{1}{q}\right)^{O(1)}$ at least one of them will give a quadratic non-residue. Thus, to find a quadratic nonresidue $\rho$, it takes expected time $O(\log^4 q)$.

To compute $b^{2^{t-i-1}}$, it takes time $O((t - i - 1) \log^2 q)$. Since there are $1 + 2 + \cdots + (t - 1)$ steps, the loop takes time $O(t^2 \log^2 q)$. Thus, the final estimate is $O(\log^4 q + t^2 \log^2 q)$.

4 Adleman-Manders-Miller cubic root extraction method 

In 2009, Nishihara et al. [9] specified the Adleman-Manders-Miller method for cube root extraction. See the following description.

Set $q = p^m$. The cubic root extraction algorithm takes time $O(\log^4 q + t^2 \log^2 q)$. As for this claim, we refer to the complexity analysis of the Adleman-Manders-Miller square root extraction algorithm in Section 3.2.
Table 2: Adleman-Manders-Miller square root extraction algorithm in $F_{p^m}$

Input: Odd prime p, a positive integer m and a quadratic residue $\delta$.
Output: A square root of $\delta$.

Step 1: Choose $\rho$ uniformly at random from $F_{p^m}^*$.
Step 2: if $\rho^{\frac{p^m-1}{2}} = 1$, go to Step 1.
Step 3: Compute t, s such that $p^m - 1 = 2^t s$, where s is odd.
        Compute $a \leftarrow \rho^s$, $b \leftarrow \delta^s$, $h \leftarrow 1$.
Step 4: for i = 1 to t − 1
            compute $d = b^{2^{t-1-i}}$
            if d = 1, $k \leftarrow 0$
            else $k \leftarrow 1$
            $b \leftarrow b \cdot (a^2)^k$, $h \leftarrow h \cdot a^k$
            $a \leftarrow a^2$
        end for
Step 5: return $\delta^{\frac{s+1}{2}} \cdot h$



5 Specification of Adleman-Manders-Miller rth Root Extraction Method

Consider the general problem to find a solution to $X^r = \delta$ in $F_q$. Clearly, it suffices to consider the following two cases:

(1) $(r, q - 1) = 1$; (2) $r \mid q - 1$.

If $(r, q - 1) = 1$, then $\delta^{r^{-1}}$ is an rth root of $\delta$. Therefore, it suffices to consider the case that $r \mid q - 1$.

Adleman, Manders and Miller [1] mentioned how to extend their square root extraction method to rth root extraction, but did not specify it. We now clarify it as follows.

If $r \mid q - 1$, we write $q - 1$ in the form $r^t \cdot s$, where $(s, r) = 1$. Given an rth residue $\delta$, we have $(\delta^s)^{r^{t-1}} = 1$. Since $(s, r) = 1$, it is easy to find the least nonnegative integer $\alpha$ such that $s \mid r\alpha - 1$. Hence,

$$(\delta^{r\alpha-1})^{r^{t-1}} = 1 \qquad (1)$$

If $t - 1 = 0$, then $\delta^{\alpha}$ is an rth root of $\delta$. From now on, we assume that $t \ge 2$.
Given an rth non-residue $\rho \in F_q$, we have

$$(\rho^s)^{i \cdot r^{t-1}} \neq (\rho^s)^{j \cdot r^{t-1}} \quad \text{where } i \neq j \text{ and } i, j \in \{0, 1, \ldots, r - 1\}$$
Table 3: Adleman-Manders-Miller cubic root extraction algorithm in $F_{p^m}$

Input: Odd prime p, a positive integer m and a cubic residue $\delta$.
Output: A cubic root of $\delta$.

Step 1: Choose $\rho$ uniformly at random from $F_{p^m}^*$.
Step 2: if $\rho^{\frac{p^m-1}{3}} = 1$, go to Step 1.
Step 3: Compute t, s such that $p^m - 1 = 3^t s$, where $s = 3l \pm 1$.
        Compute $a \leftarrow \rho^s$, $a' \leftarrow \rho^{3^{t-1} s}$, $b \leftarrow \delta^s$, $h \leftarrow 1$.
Step 4: for i = 1 to t − 1
            compute $d = b^{3^{t-1-i}}$
            if d = 1, $k \leftarrow 0$,
            else if $d = a'$, $k \leftarrow 2$
            else $k \leftarrow 1$

            $a \leftarrow a^3$
        end for
Step 5: $r \leftarrow \delta^l h$
        if $s = 3l + 1$, $r \leftarrow r^{-1}$
        return r



Set

$$K_i = (\rho^s)^{i \cdot r^{t-1}} \quad \text{and} \quad K = \{K_0, K_1, \ldots, K_{r-1}\}$$

It is easy to find that all $K_i$ satisfy = 1. Since

there is a unique $j_1 \in \{0, 1, \ldots, r - 1\}$ such that

where $K_r = K_0$. Hence,

That is

$$(\delta^{r\alpha-1})^{r^{t-2}} (\rho^s)^{j_1 \cdot r^{t-1}} = 1 \qquad (2)$$

By the way, to obtain $j_1$ one has to solve a discrete logarithm.

Likewise, there is a unique $j_2 \in \{0, 1, \ldots, r - 1\}$ such that

Consequently, we can obtain $j_1, \ldots, j_{t-1}$ such that

$$(\delta^{r\alpha-1}) (\rho^s)^{j_1 \cdot r} (\rho^s)^{j_2 \cdot r^2} \cdots (\rho^s)^{j_{t-1} \cdot r^{t-1}} = 1$$

Thus, we have

It means that

$$\delta^{\alpha} (\rho^s)^{j_1 + j_2 \cdot r + \cdots + j_{t-1} \cdot r^{t-2}}$$

is an rth root of $\delta$.

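Table 4: Adleman-Manders-Miller rth root extraction algorithm in $F_q$

Input: $F_q$ and an rth residue $\delta$, $r \mid q - 1$.
Output: An rth root of $\delta$.

Step 1: Choose $\rho$ uniformly at random from $F_q^*$.
Step 2: if $\rho^{\frac{q-1}{r}} = 1$, go to Step 1.
Step 3: Compute t, s such that $q - 1 = r^t s$, where $(r, s) = 1$.
        Compute the least nonnegative integer $\alpha$ such that $s \mid r\alpha - 1$.
        Compute $a \leftarrow \rho^{r^{t-1} s}$, $b \leftarrow \delta^{r\alpha-1}$, $c \leftarrow \rho^s$, $h \leftarrow 1$
Step 4: for i = 1 to t − 1
            compute $d = b^{r^{t-1-i}}$
            if d = 1, $j \leftarrow 0$,
            else $j \leftarrow -\log_a d$ (compute the discrete logarithm)
            $b \leftarrow b\,(c^r)^j$, $h \leftarrow h\,c^j$
            $c \leftarrow c^r$
        end for
Step 5: return $\delta^{\alpha} \cdot h$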
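
The following Python sketch is an added example, not code from the paper: it follows Table 4 step by step over a prime field $F_p$ (so q = p), finding each discrete logarithm by the brute-force search costed in Section 6. It assumes r is prime and Python 3.8 or later; the names `amm_rth_root` and `brute_dlog` and the sample primes are constructed for illustration, and with r = 2 the routine reduces to Table 1.

```python
import random

def brute_dlog(a, d, r, p):
    """Least e in [0, r) with a**e == d (mod p), found by an O(r) search."""
    x = 1
    for e in range(r):
        if x == d:
            return e
        x = x * a % p
    raise ValueError("d is not a power of a")

def amm_rth_root(delta, r, p, rng=None):
    """Return x with x**r == delta (mod p). Assumes p prime, r prime, r | p - 1."""
    rng = rng or random.Random()
    delta %= p
    if (p - 1) % r != 0:
        raise ValueError("r must divide p - 1")
    if delta == 0:
        return 0
    if pow(delta, (p - 1) // r, p) != 1:
        raise ValueError("delta is not an r-th residue")
    # Steps 1-2: sample rho until it is an r-th non-residue.
    rho = rng.randrange(1, p)
    while pow(rho, (p - 1) // r, p) == 1:
        rho = rng.randrange(1, p)
    # Step 3: p - 1 = r^t * s with gcd(r, s) = 1; least alpha with s | r*alpha - 1.
    t, s = 0, p - 1
    while s % r == 0:
        t, s = t + 1, s // r
    alpha = pow(r, -1, s) if s > 1 else 0
    a = pow(rho, s * r ** (t - 1), p)             # element of order r
    b = pow(delta, (r * alpha - 1) % (p - 1), p)  # b^(r^(t-1)) == 1, equation (1)
    c = pow(rho, s, p)
    h = 1
    # Step 4: each pass forces b^(r^(t-1-i)) to 1 using one discrete logarithm.
    for i in range(1, t):
        d = pow(b, r ** (t - 1 - i), p)
        j = (-brute_dlog(a, d, r, p)) % r
        b = b * pow(c, r * j, p) % p
        h = h * pow(c, j, p) % p
        c = pow(c, r, p)
    # Step 5: delta^(r*alpha - 1) * h^r == 1, so (delta^alpha * h)^r == delta.
    return pow(delta, alpha, p) * h % p

if __name__ == "__main__":
    # Constructed inputs: 109 - 1 = 3^3 * 4 (r = 3, t = 3); 97 - 1 = 2^5 * 3 (r = 2, t = 5).
    for p, r, x in [(109, 3, 5), (97, 2, 10)]:
        root = amm_rth_root(pow(x, r, p), r, p, random.Random(7))
        print(p, r, root, pow(root, r, p) == pow(x, r, p))
```

Each of the t − 1 loop passes calls `brute_dlog`, whose running time is linear in r; that search is the step that has no counterpart when r = 2.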



6 Complexity analysis of Adleman-Manders-Miller rth Root Extraction Method

We now discuss the time estimate for this rth root extraction algorithm.

(3)

(4)
(5)

To find an rth non-residue $\rho$, one has to check that $\rho^{\frac{q-1}{r}} \neq 1$. The computation takes time $O(\log^3 q)$. If we do this for more than $O(1) \log q$ different randomly chosen $\rho$, then with probability > at least one of them will give an rth non-residue. Therefore, the expected time of finding an rth non-residue is $O(\log^4 q)$.

The work done outside the loop amounts to just a handful of exponentiations. Hence, it takes time $O(\log^3 q)$. To compute $b^{r^{t-i-1}}$, it takes time $O((t - i - 1) \log r \log^2 q)$. Since there are $1 + 2 + \cdots + (t - 1)$ steps, it takes time $O(t^2 \log r \log^2 q)$.

To compute the discrete logarithm $\log_a d$, it takes time $O(r \log^2 q)$ using brute-force search. Since there are $t - 1$ discrete logarithms at worst, it takes time $O(t r \log^2 q)$.

Thus, the final estimate is $O(\log^4 q + r \log^3 q)$. Notice that the algorithm cannot run in polynomial time if r is sufficiently large.

7 Conclusion 

The basic idea of the Adleman-Manders-Miller root extraction method and its complexity analysis have not been specified in the past decades. In this paper, we clarify the method and analyze its complexity. We think our heuristic presentation is helpful for grasping the method entirely and deeply.